The LogicHub Security Roundup: December 2021 Edition

Hello, and welcome to the latest edition of the LogicHub Monthly Update! Each month we’ll be covering a broad view of this past month’s threats, a series of informative use cases seen this month by our teams, and a series of recommended articles, podcasts, and other useful resources.

HIGHLIGHT

Google Chrome Use After Free

WHAT DOES IT DO?

The Google Chrome web browser allocates objects in memory and keeps pointers to them for later use. A ‘use after free’ vulnerability means that one of those pointers is still used after the application has already freed the memory it points to. Once a chunk is freed, the allocator can hand the same memory to a different object, so the stale pointer now reads or writes someone else’s data; depending on what the program does with it, the result ranges from a crash to data corruption to arbitrary code execution. More specifically, from the CVE page: “Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.”
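To make the mechanism concrete, here is an added example in C, constructed for this roundup and not Chrome code: a session object carries a function pointer, queued work keeps a raw pointer to the session after it is freed, and a small pool allocator (written here so that chunk reuse is deterministic) hands the freed chunk to an attacker-controlled object. The pool, the session and blob types, and the handler names are illustrative assumptions. The hardened variant gives every holder its own reference count, so the memory cannot be released while anything still points at it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Chrome code. A fixed-size pool allocator that hands
 * out the most recently freed slot first, as real allocators commonly do for
 * same-sized chunks. Using our own pool makes the reuse deterministic, so the
 * effect of a stale pointer can be observed and checked reliably. */
#define NSLOTS 4

typedef void (*handler_fn)(const char *msg);

/* A transport "session" carrying a function pointer (the C analogue of a vtable entry). */
typedef struct {
    handler_fn on_message;
    char name[16];
} session_t;

/* The same session with a reference count, used by the hardened variant. */
typedef struct {
    int refcount;
    handler_fn on_message;
    char name[16];
} rc_session_t;

/* An unrelated object of the same size class whose bytes the attacker controls. */
typedef struct { unsigned char data[32]; } blob_t;

typedef union { session_t s; rc_session_t rc; blob_t b; } slot_t;

static slot_t pool[NSLOTS];
static int free_stack[NSLOTS];
static int free_count;

static void pool_init(void) {
    free_count = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_count++] = i;
}
static slot_t *pool_alloc(void) { return free_count ? &pool[free_stack[--free_count]] : NULL; }
static void pool_free(slot_t *p) { free_stack[free_count++] = (int)(p - pool); } /* reused next */

static int benign_calls;
static void benign_handler(const char *msg) { (void)msg; benign_calls++; }

/* What a pointer-sized read of the attacker's 0x41 filler looks like. */
uintptr_t attacker_controlled_value(void) {
    uintptr_t v;
    memset(&v, 0x41, sizeof v);
    return v;
}

/* Vulnerable pattern: queued work keeps a raw pointer to the session after the
 * session is closed and freed. Returns the function-pointer value the stale
 * pointer sees instead of calling it, so the outcome can be checked. */
uintptr_t vulnerable_use_after_free(void) {
    pool_init();
    session_t *s = &pool_alloc()->s;
    s->on_message = benign_handler;
    strcpy(s->name, "user");
    session_t *pending = s;              /* second reference held by queued work */
    pool_free((slot_t *)s);              /* session closed; chunk back in the pool */
    blob_t *b = &pool_alloc()->b;        /* attacker-driven allocation reuses the chunk */
    memset(b->data, 0x41, sizeof b->data);
    /* queued work runs: a real program would call pending->on_message and jump
     * to an attacker-chosen address */
    return (uintptr_t)pending->on_message;
}

static rc_session_t *session_ref(rc_session_t *s) { s->refcount++; return s; }
static void session_unref(rc_session_t *s) {
    if (--s->refcount == 0) {
        memset(s, 0, sizeof *s);         /* scrub before release */
        pool_free((slot_t *)s);
    }
}

/* Hardened pattern: every holder of the session owns a reference, so the object
 * cannot be freed while queued work still points at it. */
uintptr_t hardened_refcounted(void) {
    pool_init();
    rc_session_t *s = &pool_alloc()->rc;
    s->refcount = 1;
    s->on_message = benign_handler;
    strcpy(s->name, "user");
    rc_session_t *pending = session_ref(s);   /* queued work takes its own reference */
    session_unref(s);                         /* close: 2 -> 1, memory stays live */
    blob_t *b = &pool_alloc()->b;             /* attacker now gets a different chunk */
    memset(b->data, 0x41, sizeof b->data);
    uintptr_t seen = (uintptr_t)pending->on_message;
    pending->on_message("hello");             /* still the benign handler */
    session_unref(pending);                   /* last reference drops: freed now */
    return seen;
}

int main(void) {
    printf("vulnerable: stale pointer sees 0x%llx\n",
           (unsigned long long)vulnerable_use_after_free());
    printf("hardened:   queued work still sees benign_handler: %s\n",
           hardened_refcounted() == (uintptr_t)benign_handler ? "yes" : "no");
    return 0;
}
```

The vulnerable path returns the attacker’s filler bytes where the function pointer used to be; in a real program the next call through that pointer is a controlled jump, which is why a use after free in a privileged browser process is a sandbox-escape primitive rather than just a crash.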

POTENTIAL IMPACT

Use after free bugs are a reliable route to arbitrary code execution, and a sandbox escape lets code running in a confined browser process break out of that confinement and act on the underlying system with the user’s privileges. Together they threaten all three parts of the CIA triad: an attacker who reaches this point can read data, alter it, and disrupt the machine, all from a crafted web page the user merely visits.

REMEDIATION

Google released Chrome 95.0.4638.69 to the stable channel with the fix. Update to that version or later (chrome://settings/help triggers the update check) and relaunch the browser, since the new version is not active until Chrome restarts.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-38002

HIGHLIGHT

Zoom Buffer Overflow

WHAT DOES IT DO?

Zoom is an application for virtual meetings and calling over phone or computer. In this vulnerability, many of Zoom’s different clients are affected by a buffer overflow. A buffer overflow occurs when a program writes more data into a fixed-size region of memory than that region can hold, usually because it trusted a length supplied by the other side or failed to check one. The excess bytes overwrite whatever sits next to the buffer (other variables, heap bookkeeping, saved return addresses), and an attacker who controls those bytes can crash the program, change its state, or redirect execution. Details on the methodology for this vulnerability were not given, but we have seen several similar issues from Zoom clients dating back to 2017.
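As an added illustration, constructed for this roundup and not Zoom code, the following C example shows the most common shape of the bug: a parser trusts a length field from the wire and copies into a fixed-size buffer, overwriting the field that sits after it. The record layout, wire format and payload are assumptions made for the example; the hardened parser checks the length against the destination before copying.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Zoom code: a length-prefixed name field is parsed
 * into a fixed-size record. The wire format is one byte of name length followed
 * by that many bytes of name. */
typedef struct {
    char name[16];
    int  is_admin;   /* lives directly after the buffer in memory */
} record_t;

/* Vulnerable: the length byte is validated against the input, never against the
 * destination buffer, so a name longer than 15 bytes overwrites is_admin. */
int parse_vulnerable(const unsigned char *msg, size_t msg_len, record_t *out) {
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    if (msg_len < 1 + n) return -1;     /* input is long enough: passes */
    memset(out, 0, sizeof *out);
    memcpy(out->name, msg + 1, n);      /* n may be up to 255: overflows name */
    return 0;
}

/* Hardened: the length is checked against the destination before the copy,
 * oversized input is rejected rather than silently truncated, and the name is
 * always NUL-terminated. */
int parse_hardened(const unsigned char *msg, size_t msg_len, record_t *out) {
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    if (msg_len < 1 + n) return -1;
    if (n >= sizeof out->name) return -2;  /* leave one byte for the terminator */
    memset(out, 0, sizeof *out);
    memcpy(out->name, msg + 1, n);
    out->name[n] = '\0';
    return 0;
}

/* Constructed attacker message: length 20, sixteen filler bytes that fill
 * name, then four bytes that land on is_admin. Returns bytes written. */
size_t build_overflow_message(unsigned char *buf, size_t cap) {
    if (cap < 21) return 0;
    buf[0] = 20;
    memset(buf + 1, 'A', 16);
    memset(buf + 17, 0x01, 4);
    return 21;
}

/* Constructed benign message: the name "alice". */
size_t build_benign_message(unsigned char *buf, size_t cap) {
    if (cap < 6) return 0;
    buf[0] = 5;
    memcpy(buf + 1, "alice", 5);
    return 6;
}

/* 1 if the overflow message flips is_admin in the vulnerable parser. */
int vulnerable_grants_admin(void) {
    unsigned char msg[32];
    record_t r;
    size_t len = build_overflow_message(msg, sizeof msg);
    return parse_vulnerable(msg, len, &r) == 0 && r.is_admin != 0;
}

/* Return code of the hardened parser on the same message (-2 expected). */
int hardened_result(void) {
    unsigned char msg[32];
    record_t r;
    size_t len = build_overflow_message(msg, sizeof msg);
    return parse_hardened(msg, len, &r);
}

/* 1 if both parsers accept a benign message and keep is_admin clear. */
int benign_parses_cleanly(void) {
    unsigned char msg[32];
    record_t a, b;
    size_t len = build_benign_message(msg, sizeof msg);
    return parse_vulnerable(msg, len, &a) == 0 && a.is_admin == 0 &&
           parse_hardened(msg, len, &b) == 0 && b.is_admin == 0 &&
           strcmp(b.name, "alice") == 0;
}

int main(void) {
    printf("vulnerable parser granted admin: %s\n", vulnerable_grants_admin() ? "yes" : "no");
    printf("hardened parser returned: %d\n", hardened_result());
    return 0;
}
```

Here the overwritten neighbour is a flag, which keeps the demonstration deterministic; when the neighbour is a saved return address or a heap header the same write becomes the code-execution path the advisory warns about.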

POTENTIAL IMPACT

The advisory describes the impact as crashing the affected service or application, or executing arbitrary code. Code executed this way runs with whatever privileges the vulnerable Zoom process holds: the logged-in user’s account for a desktop client, and potentially a service account on server-side components, so the severity depends on where the affected client is deployed. Because the clients are widely installed and receive input from remote meeting participants, the exposure is broad even though the exact trigger has not been published.

REMEDIATION

Zoom has released fixed versions of the affected clients. Update to the versions listed in Zoom’s security bulletin for CVE-2021-34423, and push the update through endpoint management tooling where clients are centrally managed rather than relying on users to accept the in-app prompt.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-34423

HIGHLIGHT

Palo Alto GlobalProtect Arbitrary Execution

WHAT DOES IT DO?

Palo Alto Networks GlobalProtect is the remote-access VPN built into PAN-OS firewalls; its portal and gateway interfaces terminate user connections and apply the firewall’s security policy to the traffic that passes through them. From the CVE: “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue. This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17. Prisma Access customers are not impacted by this issue.”

POTENTIAL IMPACT

As with any arbitrary code execution issue, this endangers every process on the device and all three parts of the CIA triad, and here the code runs as root on the firewall itself without any authentication. The requirement that the attacker reach the GlobalProtect interface is less of a mitigation than it sounds: portals and gateways exist to accept connections from remote users, so they are usually exposed to the internet. Treat any PAN-OS 8.1 device with an internet-facing GlobalProtect interface as a priority, and confirm from which networks the interface is actually reachable before relying on that precondition.

REMEDIATION

Palo Alto Networks has released PAN-OS 8.1.17 and later, which fix the issue; upgrade affected 8.1 devices. The vendor advisory also describes interim mitigations for devices that cannot be upgraded immediately.

MORE INFORMATION:

https://nvd.nist.gov/vuln/detail/CVE-2021-3064

CUSTOMER USE CASE

Phishing Context Automation and Response

SUMMARY

Phishing is one of the most effective attack vectors against a company: one email, or a single link, is enough for an attacker to gain a foothold and do a large amount of damage. Reviewing the relevant fields of a suspicious email (headers and other metadata, attachment hashes, embedded links, and the sender domain) makes it relatively simple to keep that email from ever reaching its target. Many modern anti-malware solutions stop basic attacks and suspicious emails, but verifying that each automated action was correct is another story. In one case, a customer had a series of items downloaded by an employee, many of which were flagged as suspicious by the anti-malware solution. Because there were so many items, digging through them took many analyst hours, only to find no real attack.

AUTOMATED SOLUTION

By checking hashes against multiple reputation sources and comparing sender and link domains against an allow list, we can quickly pare the results down to the ones that are truly suspicious. Combining the results of several lookups lets each item be scored by severity and reviewed in order. Items whose score crosses a threshold are escalated to an analyst; items scored low enough are automatically closed, with a comment recording the evidence within the case. Once those decisions have been validated, the detection source itself can be tuned so that the lowest-severity items are never raised in the first place.
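The scoring and auto-close logic described above, as an added example in C constructed for this roundup, not LogicHub’s playbook code. The allowlist, the weights, the thresholds and the three sample alerts are all illustrative assumptions. The allowlist check is written to match only exact domains and true subdomains, so a look-alike domain that merely ends in an allowlisted name does not pass; that is the mistake a naive suffix comparison makes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not LogicHub's playbook: score one suspicious-email
 * alert from the lookups described above and decide whether an analyst needs
 * to see it. Domains, weights and thresholds are illustrative assumptions. */
#define MAX_SOURCES 4
#define MAX_LINKS 8

typedef struct {
    const char *sender_domain;
    int sender_auth_failed;             /* SPF/DKIM/DMARC did not pass */
    const char *link_domains[MAX_LINKS];
    int link_count;
    int hash_detections[MAX_SOURCES];   /* per reputation source; -1 = no verdict */
    int source_count;
} email_alert_t;

typedef enum { AUTO_CLOSE = 0, REVIEW = 1, ESCALATE = 2 } disposition_t;

/* Allowlist match: the domain itself or a subdomain of an allowlisted domain.
 * A plain suffix compare would let "notcorp.example" match "corp.example", so
 * the match must fall on a dot boundary. */
int domain_allowed(const char *d, const char *const *allow, size_t n_allow) {
    size_t dl = strlen(d);
    for (size_t i = 0; i < n_allow; i++) {
        size_t al = strlen(allow[i]);
        if (dl == al && strcmp(d, allow[i]) == 0) return 1;
        if (dl > al && d[dl - al - 1] == '.' && strcmp(d + (dl - al), allow[i]) == 0) return 1;
    }
    return 0;
}

/* Severity score: each lookup contributes independently, and agreement across
 * several hash sources counts for more than one source on its own. */
int score_alert(const email_alert_t *a, const char *const *allow, size_t n_allow) {
    int score = 0;
    if (!domain_allowed(a->sender_domain, allow, n_allow)) score += 20;
    if (a->sender_auth_failed) score += 25;     /* an allowlisted domain can be spoofed */

    int external_links = 0;
    for (int i = 0; i < a->link_count; i++)
        if (!domain_allowed(a->link_domains[i], allow, n_allow)) external_links++;
    score += external_links > 3 ? 30 : 10 * external_links;

    int answered = 0, flagged = 0;
    for (int i = 0; i < a->source_count; i++) {
        if (a->hash_detections[i] < 0) continue;
        answered++;
        if (a->hash_detections[i] > 0) flagged++;
    }
    if (answered == 0) score += 15;                      /* unknown hash: mild suspicion */
    else if (flagged == answered) score += 60;           /* every source agrees: malicious */
    else score += 20 * flagged;                          /* partial agreement */
    return score;
}

disposition_t dispose(int score) {
    if (score < 30) return AUTO_CLOSE;   /* closed with a comment in the case */
    if (score < 60) return REVIEW;
    return ESCALATE;
}

/* Constructed sample alerts against a constructed allowlist. */
static const char *const ALLOWLIST[] = { "corp.example", "partner.example" };
#define N_ALLOW (sizeof ALLOWLIST / sizeof ALLOWLIST[0])

disposition_t triage_sample(int which) {
    email_alert_t a = {0};
    a.source_count = 3;
    switch (which) {
    case 0: /* internal notice: allowlisted sender and link, hash clean at all sources */
        a.sender_domain = "mail.corp.example";
        a.link_domains[0] = "intranet.corp.example"; a.link_count = 1;
        a.hash_detections[0] = 0; a.hash_detections[1] = 0; a.hash_detections[2] = 0;
        break;
    case 1: /* look-alike sender, one external link, hash unknown everywhere */
        a.sender_domain = "notcorp.example";
        a.link_domains[0] = "files.example.net"; a.link_count = 1;
        a.hash_detections[0] = -1; a.hash_detections[1] = -1; a.hash_detections[2] = -1;
        break;
    default: /* spoofed allowlisted sender, auth failed, hash flagged by every source */
        a.sender_domain = "corp.example";
        a.sender_auth_failed = 1;
        a.link_count = 0;
        a.hash_detections[0] = 12; a.hash_detections[1] = 3; a.hash_detections[2] = 1;
        break;
    }
    return dispose(score_alert(&a, ALLOWLIST, N_ALLOW));
}

int main(void) {
    static const char *names[] = { "auto-close", "review", "escalate" };
    for (int i = 0; i < 3; i++) printf("sample %d: %s\n", i, names[triage_sample(i)]);
    return 0;
}
```

The spoofed-sender case is the one worth noting: the sender domain is on the allow list, so a check on the domain alone would have closed it, but the failed sender authentication and the unanimous hash verdict still push it to escalation. Weights like these should be tuned against closed cases, which is the feedback loop the paragraph above describes.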

BENEFITS TO THIS APPROACH

The automation used in this solution may be simple, but it is powerful: every item was sorted quickly, and most were closed without an analyst having to touch them. With phishing being one of the most common methods of attack, it’s important to keep a sharp eye on email, and especially on links and attached files.

Recommended Reading

This section contains some interesting reading related to the state of infosec today. These articles have a simple summary that explains the basic idea of the news and links to more information.
